本页面介绍如何使用 VPC Service Controls 问题排查工具来了解和诊断 VPC Service Controls 记录的问题。
VPC Service Controls 日志包含有关对受保护资源的请求的详细信息,以及 VPC Service Controls 拒绝该请求的原因。但是,这些详细信息有时并不明显,您可能需要花大量时间去理解日志。您可以使用 VPC Service Controls 问题排查工具诊断来自服务边界的拒绝。如需了解违规原因,请参阅调试被 VPC Service Controls 阻止的请求。
您还可以使用问题排查工具诊断来自使用试运行配置的服务边界的拒绝。
准备工作
如需排查 VPC Service Controls 违规问题,请确保您在组织级层具有 VPC Service Controls Troubleshooter Viewer 角色 (roles/accesscontextmanager.vpcScTroubleshooterViewer)。此角色不允许您修改边界或访问权限级别。
访问 VPC Service Controls 问题排查工具
问题排查工具仅在 Google Cloud 控制台中提供。
您可以使用 日Logs Explorer 或 VPC Service Controls 页面访问问题排查工具。
使用 Logs Explorer
使用日志浏览器,您可以直接从 VPC Service Controls 被拒问题的日志条目转到问题排查工具。
[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["很难理解","hardToUnderstand","thumb-down"],["信息或示例代码不正确","incorrectInformationOrSampleCode","thumb-down"],["没有我需要的信息/示例","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-09-04。"],[],[],null,["# Diagnose issues by using the VPC Service Controls troubleshooter\n\nThis page describes how you can use the VPC Service Controls troubleshooter to\nunderstand and diagnose issues that VPC Service Controls logs.\n\nVPC Service Controls logs include details about requests to protected resources and\nthe reason why VPC Service Controls denied the request. However, these details aren't\nalways easily apparent and you might spend considerable time understanding the logs.\nYou can use the VPC Service Controls troubleshooter to diagnose denials\nfrom a service perimeter. For information on violation reasons, see [Debugging requests blocked by VPC Service Controls](/vpc-service-controls/docs/troubleshooting#debugging).\n\nYou can also use the troubleshooter to diagnose denials from a service perimeter\nthat uses a dry-run configuration.\n\nBefore you begin\n----------------\n\nTo troubleshoot a VPC Service Controls violation, make sure that you have\nthe VPC Service Controls Troubleshooter Viewer IAM role\n(`roles/accesscontextmanager.vpcScTroubleshooterViewer`) at the organization level. This role doesn't\nlet you modify perimeters or access levels.\n\nAccessing the VPC Service Controls troubleshooter\n-------------------------------------------------\n\nThe troubleshooter is available only in the Google Cloud console.\nYou can access the troubleshooter using either the [Logs Explorer](/logging/docs/view/logs-explorer-summary)\nor the VPC Service Controls page.\n\n### Using the Logs Explorer\n\nBy using the [Logs Explorer](/logging/docs/view/logs-explorer-summary), you can move directly from a\nlog entry for a VPC Service Controls denial to the troubleshooter.\n\nTo access the troubleshooter from a log entry, do the following:\n\n1. Go to the **Logs Explorer** page in the Google Cloud console.\n\n [Go to Logs Explorer](https://console.cloud.google.com/logs/query)\n2. In the Logs Explorer, use the denial's [unique ID to access the log\n entry](/vpc-service-controls/docs/retrieve-troubleshoot-errors#unique-id).\n\n3. In the **Query Results** box, in the row for the denial that you want to\n troubleshoot, click **VPC Service Controls** , and then click **Troubleshoot\n denial**.\n\n### Using the VPC Service Controls page\n\nFrom the **VPC Service Controls** page, you can troubleshoot a denial using\nits unique ID.\n\nBefore you begin, [obtain the unique ID](/vpc-service-controls/docs/retrieve-troubleshoot-errors#unique-id) for the denial that you want\nto troubleshoot.\n\nTo access the troubleshooter from the **VPC Service Controls**\npage, do the following:\n\n1. In the Google Cloud console navigation menu, click **Security** , and then\n click **VPC Service Controls**.\n\n [Go to VPC Service Controls](https://console.cloud.google.com/security/service-perimeter)\n2. If you are prompted, select your organization. You can access the **VPC Service Controls**\n page only at the organization level.\n\n3. On the **VPC Service Controls** page, click **Troubleshoot**.\n\n4. On the **VPC Service Controls Troubleshooter** page, in the\n **Unique identifier** box, enter the unique ID for the denial that you want\n to troubleshoot.\n\n5. Click **Troubleshoot**.\n\nWhat's next\n-----------\n\n- [Understanding VPC Service Controls audit logs](/vpc-service-controls/docs/audit-logging)\n- Learn how [VPC Service Controls unique identifier helps troubleshoot\n issues related to service perimeters](https://cloud.google.com/blog/products/identity-security/unique-identifier-helps-troubleshooting-vpc-service-controls-perimeter).\n- [Diagnose an access denial event using the VPC Service Controls violation\n analyzer](/vpc-service-controls/docs/violation-analyzer) ([Preview](/products#product-launch-stages))."]]
